Part of the RECOVER Playbook

Offline Backup Verification

Recovery Objective: To ensure the “Last Line of Defense” (the offline backup) is physically secure, uncorrupted, and ready for deployment without shore-side assistance.

An “Offline Backup” is only truly offline if it requires a human to walk to a cabinet and physically plug it in. In maritime cyber-security, this Air-Gap is your only 100% guarantee against Ransomware that targets backup servers.

The Immutable Storage Protocol

To meet UR E26 §4.5.2, the ETO must manage recovery media using a strict rotation. If the ship is hit by an attack at 03:00, you must have a backup from 00:00 that was already unplugged.

Storage Type    | Security Status   | Purpose
NAS / Server    | ONLINE (At Risk)  | Daily automated snapshots; high convenience.
Removable SSD   | OFFLINE (Safe)    | Weekly manual clones; stored in ECR safe.
Master USB/DVD  | ARCHIVE (Safe)    | The “Factory Reset” image; stored in Captain’s safe.

The Restoration Drill (Quarterly)

A backup that has never been tested is a backup that doesn’t exist. The ETO should perform a “Dry Run” restoration every 3 months:

  1. Selection: Choose one non-essential workstation (e.g., Office PC or Maintenance Laptop).
  2. Isolation: Disconnect the target PC from the network completely.
  3. Restore: Wipe the drive and apply the Golden Image from your offline media.
  4. Verify: Confirm the OS boots, drivers load, and the OT software launches without error.
  5. Log: Record the “Time to Restore” for the SMS (Safety Management System).

Physical Chain of Custody

Recovery media is a prime target for theft or physical tampering. During an audit, you must show that you control access to these drives.

  • Labeling: Every drive must be labeled with the Asset ID and Backup Date.
  • Location: Drives must be stored in a fireproof/waterproof safe, away from magnetic sources (motors/transformers).
  • Integrity: Cross-reference the Identify Phase asset list against the drive inventory to confirm that every Category II system has its own dedicated physical recovery drive.

Compliance Tip

If a surveyor asks, “How do you know your backups haven’t been infected?” your answer should be: “We use a 7-day rotation. At any time, we have at least one drive that has been physically disconnected and locked in a safe for longer than the current incident duration.”
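The Integrity cross-reference and the rotation answer above can be checked mechanically from the drive labels. The following is an added example, not part of the original playbook; the asset IDs, drive labels, register layout and the `audit` function are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; asset IDs, labels and field layout are assumptions.
CATEGORY_II = {"ECDIS-01", "PMS-01", "BWTS-01"}
REGISTER = [
    # (label, asset_id, backup_date, unplugged_at); None = still connected
    ("SSD-A1", "ECDIS-01", "2024-05-06T00:00", "2024-05-06T01:00"),
    ("SSD-A2", "ECDIS-01", "2024-05-12T00:00", None),
    ("SSD-B1", "PMS-01", "2024-04-21T00:00", "2024-04-21T01:00"),
    ("SSD-B2", "PMS-01", "2024-05-12T00:00", "2024-05-12T04:00"),
]
ROTATION = timedelta(days=7)  # the 7-day rotation from the Compliance Tip


def audit(assets, register, incident_start):
    """Return {asset_id: finding}; 'OK' names the drive to restore from."""
    findings = {}
    for asset in sorted(assets):
        drives = [r for r in register if r[1] == asset]
        if not drives:
            findings[asset] = "FAIL: no dedicated recovery drive"
            continue
        # Trust a drive only if it was unplugged before the incident began.
        clean = [
            (datetime.fromisoformat(r[2]), r[0])
            for r in drives
            if r[3] and datetime.fromisoformat(r[3]) < incident_start
        ]
        if not clean:
            findings[asset] = "FAIL: no drive unplugged before incident"
            continue
        backup_date, label = max(clean)  # newest trusted backup
        if incident_start - backup_date > ROTATION:
            findings[asset] = f"WARN: {label} is older than the rotation window"
        else:
            findings[asset] = f"OK: restore from {label}"
    return findings


if __name__ == "__main__":
    incident = datetime.fromisoformat("2024-05-12T03:00")  # attack at 03:00
    for asset, finding in audit(CATEGORY_II, REGISTER, incident).items():
        print(asset, "->", finding)
```

In the sample register, SSD-B2 holds a 00:00 backup but was not unplugged until 04:00, so it is not trusted for a 03:00 incident and the audit falls back to the older SSD-B1.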
